I would like to know under whose authority AKS is creating the resource.
I'm trying to create an Internal Loadbalancer in AKS, but it fails without permissions.
However, I don't know who to give that privilege to.
The account that connected to AKS or the managed identity of AKS ? Or something else ?
Is the account that connected to AKS in the first place the same as the account that creates the AKS resources ?
It would be great if you could tell me the source of the information as well, as I need the documentation to explain it to my boss.
Best regards.
I'm trying to create an Internal Loadbalancer in AKS, but it fails
without permissions. However, I don't know who to give that privilege
to. The account that connected to AKS or the managed identity of AKS ?
Or something else ?
You will have to provide the required permissions to the managed identity of the AKS Cluster . So for your requirement to create a ILB in AKS you need to give Network Contributor Role to the identity.
You can refer this Microsoft Documentation on How to delegate access for AKS to access other Azure resources.
Is the account that connected to AKS in the first place the same as
the account that creates the AKS resources ?
The account which is connected to AKS is same as the account that created the AKS resources from Azure Portal (User Account) But different while accessing the Azure resources from inside the AKS (Managed Identity / Service Principal).
For more information you can refer this Microsoft Documentation.
Related
I've just setup a Managed Identity in my AKS cluster to authenticate with an Azure Key Vault resource, using the following guide: https://dev.to/vivekanandrapaka/access-secrets-from-akv-using-managed-identities-for-aks-91p
In the guide, we setup a system-assigned managed identity in the VMSS. We then add the VMSS application to an access policy in keyvault and this works, the pods in my AKS cluster now have access to my KeyVault resource.
My question is, I am planning on using managed identity to setup other connections with AKS. Example AKS -> Blob storage, AKS -> Cognitive Services. In order to do this, would I add the same AKS VMSS application as lets say a 'Contributor' role to each of these other services. Or would I assign the Managed Identity object that gets created as a 'Contributor' role to each of these other services? Essentially I'm asking, why am I assigning this VMSS as a role instead of the actual Managed Identity object?
Any clarification would be super helpful - thanks,
When you are creating a AKS Cluster ,it creates a kubelet_identity by default evenif you have not specified anything. Kubelet identity is a User-Assigned Identity. If you go to the VMSS >> Identity , You will see two tabs System-Assigned and User-Assigned , the System-Assigned is by default No but in User defined you will find the aks-agentpool assigned to it . So , Even if you don't assign System-Identity , You can assign contributor roles to the Agentpool managed identity.
Example:
I created a AKS Cluster using the Command az aks create -g ansumantest -n MyAKSansuman --location uksouth --generate-ssh-keys.
If I go to MC_ resource group which is the node resource group , I see the Managed Identity present there:
In Identity Blade of VMSS , you can see as below the System-assigned Identity is not present but User-assigned Identity is present:
Now if I want to add a access policy for the AKS in Keyvault then I can refer to the Managed-Identity:
Generally using the above only you can assign Access Policy for key vault or any RBAC Role required by AKS to access other Azure services. As that is being used by AKS by default.
When you do that assignment of your VMSS, under the covers it is assigning the role to the system assigned managed identity. The "MyAKS agentpool" is a different managed identity from the one you created.
We are dealing with multiple identity concepts, and unfortunately all of them are not super clear. (you can read through a few articles that shed some light: https://learn.microsoft.com/en-us/azure/aks/concepts-identity, https://learn.microsoft.com/en-us/azure/aks/use-managed-identity)
Let's walk through a few basics, so the answer makes more sense:
#1: when you created your AKS cluster, a system-assigned managed identity was created for you. The cluster uses this to authenticate and do actions it needs to do (such as manage VMs)
#2: when AKS created the VMSS, it created a "user-assigned managed identity" which shows up in the "MyAKS-agentpool" in your portal. This is the identity that is deployed on the VMSS for the kubelet to authenticate in the context of that VMSS. Depending on what you are trying to do, you could potentially use it for your purpose, instead of creating a system-assigned managed identity.
#3: when you used a "system-assigned managed identity" on your VMSS, it caused a system-assigned managed identity to be deployed on all those VMs. The notion of a system-assigned managed identity is that it is part of the original azure resource itself: it does not show up as another entity. So when you are giving a role to something, you are picking the VMSS (even though under the covers the access gets granted to the system-assigned managed identity). You will not find this as a separate "managed identity" in the portals.
So hope that answers why you had to grant the role to the VMSS and not the managed identity you see in the portal.
Having said all of this: I generally think it's a bad idea to do this kind of assignment: since the system assigned identity is available to every pod running on the node irrespective of the namespace. And you probably need a better finer granularity than that, in which case a better route is to use the https://learn.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity
I think the steps in the post is wrong, the user-assigned MSI was created by default when you created the cluster, you then use this MSI to authenticate to other services.
I have a user named rbacWriterAndConsoleNsReader in my azure portal and assigned him Azure Kubernetes Service Cluster User role and Azure Kubernetes Service RBAC Writer role (scope= full cluster)
But when I try to list namespaces or even pods, it shows the below error :
Error from server (Forbidden): namespaces is forbidden: User "rbacWriterAndConsoleNsReader#mayankprac2outlook.onmicrosoft.com" cannot list resource "namespaces" in API group "" at the cluster scope
PS: NO YAML files should be used (as role here is in-built role provided by Azure), All must be done through Azure CLI
Where am I going wrong ? Can anyone pls explain ?
Thanks in advance !
I'm new to Azure and k8s and somewhat confused about when to assign rights to which principal.
Whats the difference between assigning rights to azurerm_kubernetes_cluster.[name].kubelet_identity[0].object_id vs azurerm_kubernetes_cluster.[name].identity.0.principal_id and are there any other principals on the cluster that might be relevant in some other situation?
azurerm_kubernetes_cluster.[name].kubelet_identity[0].object_id = Managed identity of your user node pool ( this identity is needed for example to access the ACR in order to pull images or acces the AKV via CSI integration )
azurerm_kubernetes_cluster.[name].identity.0.principal_id = Managed identity of your AKS ( this identity is needed for example to add new nodes to the Vnet or use Monitoring/Metrics )
I am trying to create Azure Kubernetes Service (AKS) with earlier created virtual network (VN) and container registry (ACR).
I am facing below errors.
My user id does not have sufficient permissions to perform this action. Only with basic network settings and no ACR binding, I can create AKS cluster.
Which role, at Active Directory (AD) level and at subscription level, should my user id be having to create this AKS service?
You don't need any permissions on Azure AD level for this to work, but you need Microsoft.Authorization/roleAssignments/write permissions on the adequate scopes to be able to assign permissions. A built-in role of Owner grants that. Otherwise - create a custom role and assign that to your user.
I am using Azure CLI 2.0 and I am trying to create Azure Container Service type Kurbenetes, with this command (I already created resource group)
az acs create --orchestrator-type=kubernetes --resource-group=mi-shared-docker-test --dns-prefix=kube --name=mishareddocker
I am getting this error
waiting for AAD role to propagate..........Could not create a service
principal with the right permissions. Are you an Owner on this
project?
I can create any vms, webapps etc, but why am I receiving this issue ?
Well, the error states it pretty clearly, you don't have the right permissions, you should read on the ACS\Kubernetes guide.
I understand you are using AZ, not azure, but the idea is the same, you should have enough permissions and a service principal to deploy Kubernetes on Azure.
You need to look specifically at this link.
There's an typo in your command, orchestrator=type should be orchestrator-type (dash instead of equals)